CVE-2018-19993
Description
Reflected XSS in Dolibarr 8.0.2 allows remote attackers to inject arbitrary web script via the transphrase parameter in public/notice.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in Dolibarr version 8.0.2. The flaw resides in the public/notice.php script, where the transphrase parameter is echoed without proper sanitization. The code path is reachable without authentication (NOLOGIN defined) and does not require any special configuration. The vulnerable code directly prints the value of GETPOST('transphrase') without applying HTML encoding or validation [2][3].
Exploitation
An attacker can exploit this by crafting a URL containing malicious JavaScript in the transphrase parameter. No authentication is required, and the attacker only needs to trick a victim into clicking the crafted link. The script executes in the context of the victim's browser, allowing the attacker to perform actions such as stealing session cookies or redirecting to malicious sites. The fix in commit fc3fcc5 applies the 'alphanohtml' filter to both transphrase and transkey parameters, which strips HTML tags [3].
Impact
Successful exploitation allows an attacker to execute arbitrary web script or HTML in the victim's browser. This can lead to session hijacking, defacement, or phishing attacks within the Dolibarr application context. The impact is limited to the user's session and does not directly affect server-side data, but it can compromise user credentials and sensitive information.
Mitigation
The vulnerability was fixed in Dolibarr version 8.0.3 or later. The commit fc3fcc5455d9a610b85723e89e8be43a41ad1378 addresses the issue by sanitizing input with the 'alphanohtml' filter [3]. Users should upgrade to a patched version. If upgrading is not immediately possible, administrators can apply the patch manually or restrict access to public/notice.php via web server rules. No workaround is provided in the references.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| dolibarr/dolibarr | Packagist | < 8.0.4 | 8.0.4 |
Affected products
Patches
fc3fcc5455d9 FIX CVE-2018-19993
1 file changed · +7 −7
htdocs/public/notice.php+7 −7 modified@@ -1,5 +1,5 @@ <?php -/* Copyright (C) 2016 Laurent Destailleur <eldy@users.sourceforge.net> +/* Copyright (C) 2016-2018 Laurent Destailleur <eldy@users.sourceforge.net> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -19,13 +19,13 @@ * \file htdocs/public/notice.php * \brief Dolibarr page to show a notice. * Default notice is a message to say network connection is off. - * You can also call this page with URL: + * You can also call this page with URL: * /public/notice.php?lang=xx_XX&transkey=translation_key (key must be inside file main.lang, error.lang or other.lang) * /public/notice.php?transphrase=url_encoded_sentence_to_show */ define('NOCSRFCHECK',1); -define('NOLOGIN',1); +define('NOLOGIN',1); require '../main.inc.php'; @@ -34,7 +34,7 @@ * View */ -if (! GETPOST('transkey') && ! GETPOST('transphrase')) +if (! GETPOST('transkey','alphanohtml') && ! GETPOST('transphrase','alphanohtml')) { print 'Sorry, it seems your internet connexion is off.<br>'; print 'You need to be connected to network to use this software.<br>'; @@ -43,8 +43,8 @@ { $langs->load("error"); $langs->load("other"); - - if (GETPOST('transphrase')) print GETPOST('transphrase'); - if (GETPOST('transkey')) print $langs->trans(GETPOST('transkey')); + + if (GETPOST('transphrase','alphanohtml')) print GETPOST('transphrase','alphanohtml'); + if (GETPOST('transkey','alphanohtml')) print $langs->trans(GETPOST('transkey','alphanohtml')); }
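Review bot: the header-comment hunk (`@@ -19,13 +19,13 @@`) only changes trailing whitespace on the "You can also call this page with URL:" line, yet the documented call `/public/notice.php?transphrase=url_encoded_sentence_to_show` now behaves differently because the value goes through `alphanohtml`; the comment should say that HTML in the sentence is stripped, so callers that relied on markup in the notice know the behaviour changed.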
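Review bot: in the last hunk (`@@ -43,8 +43,8 @@`) the two `+` lines still `print` the values straight into the page; `alphanohtml` filters at input time but nothing escapes at the output site, so any characters the filter lets through (quotes, ampersands) reach the HTML unencoded. Escaping at the print, e.g. `print dol_escape_htmltag(GETPOST('transphrase','alphanohtml'));`, would give defence in depth and would also cover the `$langs->trans(...)` result on the following line. The `@@ -34,7 +34,7 @@` hunk is consistent with this change, since the emptiness check now tests the same filtered values that are later printed.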
Vulnerability mechanics
Root cause
"Missing input sanitization — the `transphrase` and `transkey` parameters are echoed directly into the HTML response without neutralization."
Attack vector
An attacker can craft a URL such as `/public/notice.php?transphrase=
Affected code
The vulnerable file is `htdocs/public/notice.php` in Dolibarr 8.0.2. The `GETPOST('transphrase')` and `GETPOST('transkey')` calls on lines 37, 47, and 48 directly output user-supplied parameter values without any sanitization or encoding [patch_id=1700621].
What the fix does
The patch adds the `'alphanohtml'` sanitization filter as the second argument to every `GETPOST()` call in `htdocs/public/notice.php` [patch_id=1700621]. This filter strips HTML tags from the input, preventing an attacker from injecting arbitrary script or HTML markup. The change ensures that any value supplied via `transphrase` or `transkey` is rendered as plain text rather than being interpreted as part of the page's DOM.
Preconditions
- auth: No authentication required; the page defines NOLOGIN=1
- input: Attacker must trick a victim into visiting a crafted URL
- config: Target must be running Dolibarr 8.0.2
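The two reflected parameters named above give defenders something concrete to watch for in web-server logs while the upgrade, or the web-server restriction from the Mitigation section, is rolled out. The following is an added example, not Dolibarr's code: it parses constructed combined-format access-log lines and flags requests to public/notice.php whose URL-decoded `transphrase` or `transkey` value contains HTML markup. The log lines, paths and IP addresses are constructed.

```python
"""Flag requests that send HTML markup to Dolibarr's public/notice.php
(CVE-2018-19993). Added example, not Dolibarr code."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2019:10:00:01 +0000] "GET /dolibarr/public/notice.php?transkey=ErrorLogin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2019:10:00:02 +0000] "GET /dolibarr/public/notice.php?transphrase=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "curl/7.64.0"
203.0.113.9 - - [01/Jan/2019:10:00:03 +0000] "GET /dolibarr/public/notice.php?transphrase=Network+is+off HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2019:10:00:04 +0000] "GET /dolibarr/index.php?transphrase=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Client address and the request line (method, target, protocol) of a combined-format entry.
REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# The two parameters notice.php echoes back (the GETPOST calls in the patch).
WATCHED_PARAMS = ("transphrase", "transkey")
# Anything that looks like the start of an HTML tag after URL decoding.
TAG_RE = re.compile(r"<\s*/?[a-zA-Z!?]")


def markup_params(target: str) -> dict:
    """Return the watched notice.php parameters whose decoded value contains markup."""
    parts = urlsplit(target)
    if not parts.path.endswith("/public/notice.php"):
        return {}
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes the values
    hits = {}
    for name in WATCHED_PARAMS:
        for value in query.get(name, []):
            if TAG_RE.search(value):
                hits[name] = value
    return hits


def scan_log(text: str) -> list:
    """Flag log entries that carry HTML markup in the reflected parameters."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        for name, value in markup_params(m["target"]).items():
            findings.append({"client": m["client"], "param": name, "value": value})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} sent markup in {f['param']}: {f['value']!r}")
```

Only the second constructed line is reported; the request to index.php with the same parameter name is ignored because it never reaches notice.php.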
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-2gc5-3h3p-8vpf (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-19993 (NVD entry)
- github.com/Dolibarr/dolibarr/commit/fc3fcc5455d9a610b85723e89e8be43a41ad1378 (fix commit)